How do I set up two-factor authentication (2FA) on my accounts?
Go to each account's security settings, choose two-factor authentication, and select an authenticator app rather than SMS — this single step dramatically reduces account-takeover risk.
Last reviewed: 10 June 2026
Explanation
Two-factor authentication (2FA) adds a second verification step to your login beyond your password. Even if an attacker has your password, they cannot log in without also having the second factor. It is one of the highest-impact security measures available to ordinary consumers, and enabling it on your email account is the most important starting point because email is the recovery method for nearly everything else.
There are several types of 2FA. SMS codes are the most common but the weakest, because they can be intercepted via SIM-swap attacks. Time-based one-time password (TOTP) apps, such as Google Authenticator, Authy, or Microsoft Authenticator, generate a six-digit code on your phone that changes every 30 seconds. The secret that produces this code never leaves your device, so the code cannot be intercepted via SIM swap. Hardware security keys (YubiKey, Google Titan) are the strongest option: they require physical access to the device, making phishing and remote attacks essentially impossible.
To enable 2FA, go to the account's settings menu and look for sections labelled 'Security,' 'Privacy,' or 'Login.' The option is typically labelled 'Two-factor authentication,' 'Two-step verification,' or '2-Step Verification.' Select the authenticator app option, scan the QR code displayed on screen with your authenticator app, and enter the six-digit code to confirm the setup. Save the backup codes somewhere safe — printed or in a secure offline location — in case you lose access to your phone.
Prioritise these accounts in order: primary email, banking and investment accounts, main social media, cloud storage, and password manager. Once your email is protected, attackers cannot reset your other accounts even if they have your passwords.
Common red flags
- Any important account that only requires a password to log in
- Receiving a 2FA code you did not request — indicates someone has your password
- An authenticator app prompting you to approve a login you did not initiate
- Your phone suddenly stops receiving SMS messages (possible SIM swap in progress)
What to do now
- Download a reputable authenticator app (Google Authenticator, Authy, or Microsoft Authenticator)
- Enable 2FA on your primary email account first
- Enable 2FA on your banking, investment, and payment accounts
- Enable 2FA on your password manager if you use one
- Save backup codes in a secure offline location for each account
- Review 2FA settings annually and remove old devices from your trusted list
Frequently asked questions
What if I lose my phone and cannot get my 2FA codes?
This is why backup codes matter. When you enable 2FA, most services provide single-use backup codes. Store these in a safe place offline (printed and locked away, or in an encrypted document). Authy also backs up your codes to the cloud so you can restore them on a new device.
Is 2FA available on all websites?
Not all sites offer 2FA, but most major services do. The directory at 2fa.directory lists which services support it. If a financial service does not offer 2FA, consider switching to one that does.
Do I need 2FA if I use a strong password?
Yes. Strong passwords protect against brute-force guessing but not against phishing, credential dumps from other breaches, or malware that captures what you type. 2FA protects even when your password is already known to the attacker.